Warning: Make a backup before you try this with your system. I suggest beginning with a fresh installation of Raspbian Buster.

These commands assume you have cryptsetup v2. This comes with Buster only, so update to Buster first if you want to encrypt an old system.

You need an external USB storage medium during the setup process to temporarily store the system files; this is NOT the backup mentioned above. Free space should be about 1.5 times bigger than your current rootfs.

First, to ensure that everything keeps working after kernel updates, we rebuild the initramfs automatically upon update. For the initramfs to work, the correct version must be in /boot/config.txt; the following two scripts take care of this.

There is a built-in update for the initramfs, but we move it to a safe place.

Remember: These scripts build the initramfs only for the current kernel and RPi type, so before moving your SD card from an RPi 3 to an RPi 4 you have to generate the initramfs manually via sudo update-initramfs -c -k <kernel-version>

You can enter a password for the key. Please do that; otherwise an adversary who gets the key could get your password if he eavesdropped on the wire (I don't know if this SSH setup uses forward secrecy).
Copy the key to your PC so that you can log in!

We add the dmcrypt mountpoint to fstab. Hint: The root= parameter in cmdline.txt is for the kernel at boot time. At a later stage (I think right before systemd starts) root "/" gets remounted to the value in fstab.

Make sure you have done this, otherwise your installation is broken. It can be repaired, but I won't give support for that.

Now reboot. It stops in the initramfs. You can connect via SSH as user "root" with the private key. Maybe your IP has changed. The simplest way is to connect a monitor and look for the IP address, or check your router/DHCP server.
First execute

I don't know why the standard PATH environment in the dropbear SSH shell doesn't include the sbin directories. In the initramfs shell they are included in the PATH. If somebody knows how to fix this permanently, please write.

resize2fs will tell you the block count it reduced to. Please note that down.
If you have an ext4 filesystem on your USB storage medium you can mount it (you could also include ntfs-3g or other filesystems in the initramfs, but that is not part of this tutorial); otherwise we write directly to the medium.

Each ext4 block is 4KB, so multiplying the number of blocks by 4 gives you the filesystem size in KB. To speed things up we block copy the whole filesystem (copying each file is quite slow).

dd if=/dev/mmcblk0p2 of=<mountdir or /dev/sda for direct copy, ATTENTION: all existing data on the USB device is lost then> bs=16M count=<count>

Get the count by dividing your block count from resize2fs by 4 (short for *4 /16) and rounding that number up. So, e.g., if you get 323,524.25, use 323525 as count. dd in the initramfs doesn't support status=progress, so you won't see any progress. Make sure there are no errors during the copy!

Hint: There is also a LUKS in-place encryption (cryptsetup-reencrypt). You could add that to your initramfs as well, but for data security reasons I feel more comfortable with this method.

We use 256-bit AES (because of XTS we need a 512-bit key, one half is for XTS). For password protection against brute force we use the latest hash function, argon2id, which secures against brute force by dedicated hardware and against side-channel attacks (these are not so important here). This is the safest setup I currently know. Please use a strong password / passphrase!
Type YES in uppercase letters to confirm overriding your existing files.

Now we need a keyboard (I don't know how to drop out of the dropbear busybox shell); just type exit (you can type blindly). It now boots; the dropbear SSH connection is lost, and the Pi can be reached again via SSH to the full system.
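
Added example, not part of the original post: a shell check that reads cryptsetup luksDump output and confirms the header matches the setup described above (AES-XTS data cipher, 512-bit key, argon2id on every keyslot). The sample dump is constructed and abridged, and the function names sample_dump and check_luks_header are hypothetical.

```shell
#!/bin/sh
# Added example: verify a LUKS header against the parameters named in the post.
# Input is the text of `cryptsetup luksDump <device>` on stdin.
# argon2id only exists in the LUKS2 header format, so Version must be 2.

# Constructed, abridged luksDump output for illustration (not from a real device).
sample_dump() {
cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
        sector: 512 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Exit status 0 only if: LUKS2, AES-XTS data cipher, and every keyslot
# protects a 512-bit key with argon2id. Prints one line per finding.
check_luks_header() {
    awk '
        $1 == "Version:" { version = $2 }
        $1 == "cipher:"  { cipher = $2 }    # lowercase label = data segment
        $1 == "Key:"     { slots++; if ($2 != 512) { print "FAIL key size " $2; bad++ } }
        $1 == "PBKDF:"   { if ($2 != "argon2id") { print "FAIL pbkdf " $2; bad++ } }
        END {
            if (version != 2)          { print "FAIL not LUKS2"; bad++ }
            if (cipher !~ /^aes-xts-/) { print "FAIL data cipher " cipher; bad++ }
            if (slots == 0)            { print "FAIL no keyslot found"; bad++ }
            if (bad) exit 1
            print "OK LUKS2 " cipher ", " slots " keyslot(s), 512-bit key, argon2id"
        }'
}

# On the Pi: cryptsetup luksDump /dev/mmcblk0p2 | check_luks_header
sample_dump | check_luks_header
```

The "0: pbkdf2" line under Digests is expected in a LUKS2 header and is deliberately not treated as a keyslot finding; only the keyslot PBKDF lines are checked.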

Could be possible, but what you plan to do gives fake security.
The key space of the serial number is too limited to provide security. You could see the unlock code retrieving the serial number. Sorry, I can't support you in implementing insecure encryption.